DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause
Client Alert | 2 min read | 08.20.24
On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts. The Clause will require every defense contractor that handles Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”) to assess and certify compliance with select CMMC security requirements. The August 2024 Proposed Rule introduces several distinct changes to the 7021 Clause published by DoD in January 2023, including:
- Instructing Contracting Officers to fill in the required CMMC Level in each in-scope DoD contract.
- Requiring contractors to “maintain the CMMC level required by [the] contract for the duration of the contract for all information systems” that handle FCI or CUI.
- Requiring contractors to notify the Contracting Officer within 72 hours if there are any “lapses in information security” or changes to the status of the CMMC certification—including in self-assessment certification.
- Requiring contractors to affirm “continuous compliance” on an annual basis or when changes to the status of their CMMC certifications occur.
- Requiring that contractors “ensure” that subcontractors have current CMMC certificates or self-assessments at the required flowdown level.
Heightened cybersecurity requirements and greater scrutiny on compliance will increase risks and potential consequences for defense contractors, particularly in the context of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. Thus, contractors need to be prepared for the upcoming implementation of CMMC. Comments on the proposed rule will be accepted for 60 days.
The 7021 Clause has been dormant during the CMMC rulemaking process, but DoD has stated that it will become active and begin appearing in DoD contracts when the August 2024 Proposed Rule is finalized. However, it is likely that not all contractors will be required to fully comply with all CMMC requirements immediately. The August 2024 Proposed Rule affirms that, as outlined in DoD’s December 2023 CMMC Proposed Rule, CMMC requirements are slated to roll out to contractors in phases over a three year period.
Contacts
Insights
Client Alert | 4 min read | 12.04.25
District Court Grants Preliminary Injunction Against Seller of Gray Market Snack Food Products
On November 12, 2025, Judge King in the U.S. District Court for the Western District of Washington granted in part Haldiram India Ltd.’s (“Plaintiff” or “Haldiram”) motion for a preliminary injunction against Punjab Trading, Inc. (“Defendant” or “Punjab Trading”), a seller alleged to be importing and distributing gray market snack food products not authorized for sale in the United States. The court found that Haldiram was likely to succeed on the merits of its trademark infringement claim because the products at issue, which were intended for sale in India, were materially different from the versions intended for sale in the U.S., and for this reason were not genuine products when sold in the U.S. Although the court narrowed certain overbroad provisions in the requested order, it ultimately enjoined Punjab Trading from importing, selling, or assisting others in selling the non-genuine Haldiram products in the U.S. market.
Client Alert | 21 min read | 12.04.25
Highlights: CMS’s Proposed Rule for Medicare Part C & D (CY 2027 NPRM)
Client Alert | 11 min read | 12.01.25
